This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.
82d002207d92e79c81d147d0cbc73594This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.
2bf9e1106acf9e1f0a7b618fe7f2da3fSome distributions make virtfs-proxy-helper from QEMU either SUID or give it CAP_CHOWN fs capabilities. This is a terrible idea. While virtfs-proxy-helper makes some sort of flimsy check to make sure its socket path doesn't already exist, it is vulnerable to TOCTOU. This exploit should spawn a root shell, eventually, on vulnerable systems.
e37a54d0b5f93a8c1e4770a98e1e8cb2This is an exploit for W3 Total Cache called W3 Total Fail that works by attempting to guess SQL queries that might contain important password hashes.
fd227400a61545694be5ef12f6ca1b6cViscosity OpenVPN client for Mac OS X suffers from a local root command execution vulnerability due to a suid binary executing site.py.
310eead57ed8a1879d25cfaf62404d5bTunnel Blick suffers from a race condition that allows for local root execution.
0870a65fba1991804a8eda167bec3000Pwnnel-Blicker is a second local root exploit for Tunnel Blick OS X OpenVPN manager.
00ab722f2ba1b1ee134371e96d761d4aThis is the Mempodipper local root exploit for Linux. /proc/pid/mem is an interface for reading and writing, directly, process memory by seeking around with the same addresses as the process's virtual memory space. In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed. Anyone with the correct permissions could write to process memory. It turns out, of course, that the permissions checking was done poorly. This means that all Linux kernels greater than and equal to 2.6.39 are vulnerable.
50b274079f83341f00a4ec625f3359dbThis is an amusing method of spawning an xterm using a macro in OpenOffice.org when using a Linux box.
7a067777b40660c6917a9b8490577699glibc LD_AUDIT arbitrary DSO load local root exploit that leverages a race condition to escalate privileges.
040e70e9bcf90b836fd3dd059e51a15eCalibre E-Book Reader local root race condition exploit that subverts recent changes preventing symlinks and checking path prefixes.
d7de7d66784b296235b391ff4165a7caCalibre E-Book Reader local root exploit that uses the mount helper to mount a vfat filesystem over /etc and then tinkers with /etc/passwd to make the root password toor temporarily.
2788d09f0cb78cd65e4b0baa83886e47Calibre E-Book Reader local root exploit that leverages PATH manipulation and a suid mount helper.
5856dee869f4b3b8329ee45b64343177PolicyKit versions 0.101 and below local privilege escalation exploit.
2f9af8cc142e7792fe8eda4a952fdd24Linux kernel versions prior to 2.6.37-rc2 TCP_MAXSEG kernel panic denial of service exploit that triggers a divide by zero error in net/ipv4/tcp.c.
c004656f07ac5706e1e61d31039304adFreeBSD versions 6.4 and below Netgraph local privilege escalation exploit.
584297acff886b60a6c2d0e54c6829f0
© 2016 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed